2. Another AWS account and IAM entity that needs access to the ECR repo in #1 (account ID 2222222222 in the examples below).

1. Allow Other AWS Accounts to Access ECR

First off, the ECR repository will need a repository policy that says, “Account 2222222222 can access this repository.” In this situation we want to allow read-only access: account 2222222222 should only be able to pull the images.

This policy will allow any IAM entity in account 2222222222 read-only access to the repository. This can be restricted to specific IAM entities by adjusting the principal ARN.

2. Allow the IAM Entity in the Client Account to Talk to ECR

The thing about service policies is that they only define what entities are allowed to access the resource, but those entities still need permissions to do so within the IAM system of the account itself.

More concretely: the repository policy above says, “Yeah, account 2222222222 can get images from this repository,” but the IAM system in account 2222222222 still has to allow those ECR actions to be called. An IAM policy for this looks nearly identical to the repository policy — just swap the Principal for Resources. We also need to allow the IAM entity to get an authorization token to authenticate with docker login

This will only allow an IAM entity (user, group, role, etc) access to the example repository. Note that entitys with power user access or admin access (the dreaded "Action": "*:*" won’t need this. When I had to do this earlier this year, it was to allow a IAM user used by TravisCI access to a repository and I did use this restricted permission set.

3. Getting ECR Credentials for docker login

If using the AWS CLI, set the --registry-ids flag when invoking the ecr get-login command:

The important thing here is that the ecr:GetAuthorizationToken call (via the CLI or otherwise) is happening on the calling account (2222222222 in our exmaple). The IAM entity is not getting an authorization token from account 1111111111 where the repository resides. The registry IDs only impact the generate docker login command when using the AWS CLI, in other words.